Two-Factor Auth - Implementation details #12102
Description
For ownCloud 8 we are aiming to implement Two-Factor authentication, the following requirements are given:
- Additions to core should be as minimal as possible. If possible parts should be implemented within an ownCloud application.
- Not to be implemented as
\OC_User_Backend, this approach has been tried in the past but is a major hack - Two-Factor Auth has to be compatible with all existing user backends without modifying them.
- Support application specific passwords (with Application we mean external application like mobile or web apps) - implementation should be generic to be able to reuse them for OAuth tokens (OAuth 2.0 support for ownCloud [$5] #10400). Application specific passwords will be valid for the whole ownCloud instance while OAuth tokens can be limited in the future then for specific scopes.
- The system should be pluggable to allow further authentication backends, per default it will support TOTP (Time-Based One-Time Password Algorithm) which is widely used.
- A personal console exists which:
- Allows to register new token devices
- Shows recently used token devices
- Allows to revoke recently used token devices
- An administrative console exists which:
- Allows admins to enforce enrollment for users
- Allows admins to view enrollment status
- Allows admins to view devices and revoke them
- If a revoked token is supplied the server will send back a statuscode which indicates that the token has been revoked
This issue is here to track the changes required for the change and also the required features. Any suggestions are welcome.
Todo:
- Refactor authentication from base.php into own classes (… in progress …)
- Add new authentication state ("2FA")
- Add code for 2FA app
- Add adapters for 2FA app
- Take pride and celebrate